
OfflRouter malware targets Ukrainian organisations with document lures


Illustration: Suttipun | Shutterstock

A decade-old malware, OfflRouter, has emerged as a significant cybersecurity threat. It targets organisations based in Ukraine using document-based lures. This sophisticated malware employs advanced techniques and specific infection mechanisms, underscoring the evolving tactics used by cybercriminals to infiltrate networks and access sensitive information.

The lures were created by taking legitimate documents and adding malicious content that triggers the malware's execution and download on the system.

Cybersecurity experts found documents containing malicious Visual Basic for Applications (VBA) code during the investigation. These documents, originating from Ukraine, raised immediate red flags due to their potential to act as lures for infecting organisations.

Once a user opens an infected document and macros (a common requirement for executing VBA code) are enabled, OfflRouter’s infection process begins. The malware’s VBA code is designed to drop and execute an executable file named ctrlpanel.exe, which is the attack’s main component.

Upon execution, ctrlpanel.exe initiates several processes to ensure its persistence and functionality within the compromised system. It attempts to set registry keys that allow it to run on system startup, ensuring that the malware remains active even after the system reboots.
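The two behaviours described above (a Word macro dropping and running ctrlpanel.exe, and ctrlpanel.exe writing itself into a startup Run key) are the kind of thing endpoint telemetry can flag. The following is an added example, not code from the article or from Cisco Talos: a small detection routine run over a few constructed Sysmon-style events. The event format, field names, user names and paths are assumptions for this example; map them to whatever your log pipeline actually emits.

```python
"""
Detection logic for the OfflRouter infection chain: a Word process spawning an
executable, and a Run-key write by a process named ctrlpanel.exe or running from
a temp directory. Event layout and sample values are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Pipe-separated record:
# event_type|image|parent_image|details
SAMPLE_EVENTS = [
    "ProcessCreate|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\services.exe|",
    "ProcessCreate|C:\\Users\\olena\\AppData\\Local\\Temp\\ctrlpanel.exe|"
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|",
    "RegistrySet|C:\\Users\\olena\\AppData\\Local\\Temp\\ctrlpanel.exe||"
    "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctrlpanel",
    "RegistrySet|C:\\Program Files\\Vendor\\updater.exe||"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
    "ProcessCreate|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\userinit.exe|",
]

# Matches the per-user and machine-wide autostart keys (Run and RunOnce).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Split one constructed record into its four fields; None if malformed."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    return {"type": parts[0], "image": parts[1], "parent": parts[2], "details": parts[3]}


def detect(events):
    """Return Alert objects for events matching the two OfflRouter behaviours."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev is None:
            continue
        img = basename(ev["image"])
        if (ev["type"] == "ProcessCreate"
                and basename(ev["parent"]) == "winword.exe"
                and img.endswith(".exe")):
            # Word launching an executable is abnormal on its own; the dropped
            # component in the article is named ctrlpanel.exe, so name it in the rule.
            rule = "word_spawns_ctrlpanel" if img == "ctrlpanel.exe" else "word_spawns_executable"
            alerts.append(Alert(rule, ev["image"], ev["parent"]))
        elif ev["type"] == "RegistrySet" and RUN_KEY_RE.search(ev["details"]):
            # Run-key writes are common for legitimate software; only flag the
            # suspicious image name or an image running from a temp directory.
            if img == "ctrlpanel.exe" or "\\temp\\" in ev["image"].lower():
                alerts.append(Alert("run_key_persistence_from_suspicious_image",
                                    ev["image"], ev["details"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.image} -> {alert.detail}")
```

On the constructed events this raises exactly two alerts, one per behaviour; the legitimate updater's Run-key write is left alone because the rule keys on the image, not on the registry write itself.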

The attack chain. | Source: Cisco Intelligence

OfflRouter goes beyond infecting the initial document. It actively searches for other Word documents on the system, both on fixed and removable drives, to further propagate its malicious payload. This propagation method maximises the malware’s reach and impact within the targeted network.
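Because the malware propagates by adding its VBA payload to other .doc files it finds on fixed and removable drives, one practical response is to inventory which legacy Word documents on those drives carry a VBA project at all. The following is an added example, not from the article or from Cisco Talos: a triage scan that walks the given mount points and flags .doc files containing a VBA project. Legacy .doc files are OLE compound files whose directory stores stream names in UTF-16LE, so the scan looks for the "_VBA_PROJECT" entry name in that encoding. This is a heuristic, not a full OLE parser, and the mount points and sample files are assumptions constructed for the example.

```python
"""
Triage scan for macro-bearing .doc files across one or more drive roots.
Heuristic: OLE magic at offset 0 plus the UTF-16LE "_VBA_PROJECT" stream name
anywhere in the file. Sample tree and its contents are constructed, not real.
"""
import os
import tempfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # compound file header
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")        # directory entry name
DOC_EXTENSIONS = (".doc",)  # the article notes the malware focuses on .doc


def has_vba_project(path):
    """True if the file has an OLE header and a _VBA_PROJECT stream name."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.startswith(OLE_MAGIC) and VBA_MARKER in data


def scan_roots(roots):
    """Walk each root (fixed or removable mount) and list .doc files carrying VBA."""
    flagged = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(DOC_EXTENSIONS):
                    continue
                full = os.path.join(dirpath, name)
                try:
                    if has_vba_project(full):
                        flagged.append(full)
                except OSError:
                    # unreadable file (locked, permissions): skip, keep scanning
                    continue
    return flagged


def make_sample_tree():
    """Build a constructed temp tree: one macro-bearing and one clean fake .doc,
    plus a non-document file that must be ignored."""
    base = tempfile.mkdtemp(prefix="doc_triage_")
    with open(os.path.join(base, "report.doc"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 504 + VBA_MARKER + b"\x00" * 64)
    with open(os.path.join(base, "clean.doc"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 568)
    with open(os.path.join(base, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, not a document")
    return base


if __name__ == "__main__":
    import sys
    # Pass real drive roots as arguments; with none, scan the constructed tree.
    roots = sys.argv[1:] or [make_sample_tree()]
    for hit in scan_roots(roots):
        print("VBA project found:", hit)
```

Run it against removable media roots as well as fixed drives, since the article says the malware searches both. A hit means only that a VBA project is present; it still needs to be inspected to tell a legitimately macro-enabled document from an infected one.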

One notable aspect of OfflRouter’s operation is its unique code-generation technique. The malware generates VBA code dynamically, combining hard-coded strings with encoded bytes of the ctrlpanel.exe binary. This dynamic code generation makes detection and analysis more challenging, as the generated code varies with each infection cycle.

OfflRouter exhibits advanced functionality by searching for potential plugins on removable media. This feature, uncommon in typical document-based malware, indicates a higher level of sophistication and ambition on the part of the malware author. Loading plugins further enhances the malware’s capabilities and potential impact.

According to researchers, OfflRouter bears the hallmarks of an inventive yet relatively inexperienced developer. The virus’s choice of infection mechanism, coding errors, and a lack of thorough testing point to the author’s limited expertise in cybercrime tactics.

A sample of the malicious document. | Source: Cisco Intelligence

“From the choice of the infection mechanism, VBA code generation, several mistakes in the code, and the apparent lack of testing, we estimate that the author is an inexperienced but inventive programmer,” noted researchers.

Researchers also discovered that some malicious documents were already uploaded to the Ukrainian National Police website in 2018 and have been publicly available since then.

The discovery of malicious document lures underscores a growing trend among threat actors targeting government and military entities. Researchers have previously uncovered similar lures, including military-themed documents in Ukrainian and Polish, designed to deploy remote access trojans (RATs) onto victims’ systems.

Despite its sophisticated design, OfflRouter has remained largely confined to Ukraine. This containment can be attributed to the virus’s limited spread capabilities, its focus on specific filename extensions like .doc, and its inability to propagate via email.

Researchers have urged organisations, especially those in Ukraine, to bolster their cybersecurity measures.

Government entities like the military have always been targets of hackers. In late March 2024, Operation FlightNight was reported to have targeted the Indian defence, IT, and energy sectors.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
